<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://best.openssf.org/assets/css/style.css">
<link rel="stylesheet" href="checker.css">
<script src="checker.js"></script>
<script src="hardcoded.js"></script>
<link rel="license" href="https://creativecommons.org/licenses/by/4.0/">

<!-- See create_labs.md for how to create your own lab! -->
</head>
<body>
<!-- For GitHub Pages formatting: -->
<div class="container-lg px-3 my-5 markdown-body">
<h1>Lab Exercise hardcoded</h1>
<p>
This is a lab exercise on developing secure software.
For more information, see the <a href="introduction.html" target="_blank">introduction to
the labs</a>.

<p>
<h2>Task</h2>
<p>
<b>Please eliminate the hardcoded credentials in the sample code.</b>

<p>
<h2>Background</h2>
<p>
In this exercise, we'll remove a hardcoded credential (in this case a
password) embedded in the code.

<p>
<h2>Task Information</h2>
<p>
Please change the Java code below to eliminate hardcoded credentials.
The code logs in to a database system, but uses
the hardcoded username "admin" with hardcoded password "admin".
At the very least, the password should <i>not</i> be exposed by
being hardcoded into the source code.
A credential that needs to be kept secret, like a password,
is too exposed and too hard to change when it's hardcoded into the code.
It would also be wiser to <i>not</i> hardcode the username, since
the username might change.

<p>
For our purposes, we'll modify the code to retrieve the username and
password as environment variable values.
The username (second parameter)
will be in environment variable <tt>USERNAME</tt> while
the password (third parameter)
will be in environment variable <tt>PASSWORD</tt>.
In Java the expression <tt>System.getenv("FOO")</tt> retrieves
the value of environment variable <tt>FOO</tt>.

<p>
Environment variables aren't a perfect solution, since they are typically
accessible to the entire program.
Other better mechanisms may be available on your platform.
In this example we'll use environment variables because they're
portable, easy to use, and
<i>certainly</i> better than using a hardcoded credential.
Note: Java also supports including the username and password in the URL, but
for purposes of illustration we will not use that alternative.
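<p>
As an added example (not code from the original lab), here is one way to
write the corrected call in Java with the username and password read from the
environment; the <tt>DbLogin</tt> class, the <tt>requireEnv</tt> helper and the
JDBC URL are assumptions of this example. The helper rejects an unset or blank
variable up front, because <tt>System.getenv</tt> returns <tt>null</tt> for a
variable that is not set and passing that to the driver gives a confusing
error far from the real cause.

```java
// Added example, not part of the original lab: credentials come from the
// environment variables USERNAME and PASSWORD instead of being hardcoded.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class DbLogin {
    // Environment variable names used by this lab.
    static final String USER_VAR = "USERNAME";
    static final String PASS_VAR = "PASSWORD";

    // Returns the value of the named environment variable, or throws if it is
    // unset or blank. System.getenv returns null for an unset variable, and a
    // null passed on to getConnection would fail inside the driver instead.
    // The message names the variable but never echoes its value.
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(
                "Required environment variable " + name + " is not set");
        }
        return value;
    }

    // Opens the connection with credentials supplied by the environment.
    static Connection connect(String url) throws SQLException {
        String user = requireEnv(USER_VAR);
        String password = requireEnv(PASS_VAR);
        return DriverManager.getConnection(url, user, password);
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder URL assumed for this example; the lab does not show one.
        String url = "jdbc:postgresql://localhost:5432/example";
        try (Connection conn = connect(url)) {
            System.out.println("Connected as "
                + conn.getMetaData().getUserName());
        }
    }
}
```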

<p>
Use the “hint” and “give up” buttons if necessary.

<p>
<h2>Interactive Lab (<span id="grade"></span>)</h2>
<p>
Please modify the Java code below to eliminate the hardcoded password
and the hardcoded username.
<p>
<form id="lab">
<pre><code
><textarea id="attempt0" rows="3" cols="60" spellcheck="false"
>conn = DriverManager.getConnection(url,
     "admin", "admin");</textarea></code></pre>
<button type="button" class="hintButton">Hint</button>
<button type="button" class="resetButton">Reset</button>
<button type="button" class="giveUpButton">Give up</button>
<br><br>
<p>
<i>This lab was developed by David A. Wheeler at
<a href="https://www.linuxfoundation.org/"
>The Linux Foundation</a>.</i>
<br><br>
<p id="correctStamp" class="small">
<textarea id="debugData" class="displayNone" rows="20" cols="65" readonly>
</textarea>
</form>
</div><!-- End GitHub pages formatting -->
</body>
</html>
